noro wrote:
> hi,
>
> I try to use iptables connlimit:
>
> # iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j DROP
> iptables: Unknown error 4294967295
>
> Where is the problem?
> Thanks
>
> # rpm -qa | grep iptables
> iptables-1.3.5-4.el5
>
> # uname -a
> Linux test 2.6.18-92.1.1.el5 #1 SMP Sat Jun 21 19:04:27 EDT 2008 i686 i686 i386 GNU/Linux

Hi.

The problem isn't yours alone. Despite the man page, there is no support for the iptables connlimit match in CentOS 5 nor any previous version.

The real issue is that, due to the way RH builds iptables(*), there have been longstanding disparities(**) between the iptables userspace tool and the kernel. For example, in Fedora 6/RHEL 5/CentOS 5, although there is an iptables module in /lib/iptables/libipt_connlimit.so which supports the connlimit match in iptables, there is no corresponding netfilter module in /lib/modules/(version)/kernel/net/ipv4/netfilter/ to handle it in the kernel. Fedora 3/RHEL 4/CentOS 4 have the same problem. Other disparities exist as well.

Anyway, since there is no stock kernel support for connlimit, the iptables module included in these distros is rather useless to you. :(

The kernel module is not included in the centosplus kernel either, so if you really must have connlimit working on CentOS 5 there are three options:

1. Upgrade your kernel to a newer version. The connlimit module finally went into mainline at kernel v2.6.23.
   http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23
   IIRC, Fedora 7 doesn't support connlimit in the kernel either, but Fedora 8 and 9 do.

2. Patch it and maintain your own build. See
   http://www.netfilter.org/projects/patch-o-matic/pom-external.html#pom-external-connlimit

3. Find a pre-built module maintained elsewhere. I only know of one repository for RHEL4:
   http://ftp.pslib.cz/pub/users/Milan.Kerslager/RHEL-4/stable/

Please note that the CentOS team won't support non-stock kernels.

Sorry for the bad news and the long message with irrelevant details (they're for the list archive and googlers).

Best Regards,
PWR

(*) https://bugzilla.redhat.com/show_bug.cgi?id=191331#c8

(**) Some more examples:
https://bugzilla.redhat.com/show_bug.cgi?id=253014
http://linuxczar.net/wordpress/archives/67

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
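The userspace/kernel disparity described in the reply can be checked before a rule is deployed. The following script is an added example, not from the list post or the CentOS project: it assumes the /lib/iptables and /lib/modules/.../net/ipv4/netfilter paths quoted in the reply, and assumes the kernel module is named ipt_<match>.ko or xt_<match>.ko.

```shell
#!/bin/sh
# Added example: report whether an iptables match is backed by both its
# userspace extension (libipt_*/libxt_*.so) and its kernel module
# (ipt_*/xt_*.ko). "userspace-only" is exactly the CentOS 5 connlimit
# situation: iptables loads the extension, the kernel rejects the rule.
# Directory layout and module naming are assumptions, not from the post.

# has_match_support MATCH LIB_DIR KMOD_DIR
#   Prints one of: ok, userspace-only, kernel-only, missing.
#   Returns 0 only when both halves are present.
has_match_support() {
    match=$1
    libdir=$2
    kmoddir=$3
    user_ok=1
    kern_ok=1
    [ -f "$libdir/libipt_$match.so" ] || [ -f "$libdir/libxt_$match.so" ] || user_ok=0
    [ -f "$kmoddir/ipt_$match.ko" ] || [ -f "$kmoddir/xt_$match.ko" ] || kern_ok=0
    case "$user_ok$kern_ok" in
        11) echo "ok";             return 0 ;;
        10) echo "userspace-only"; return 1 ;;
        01) echo "kernel-only";    return 1 ;;
        *)  echo "missing";        return 1 ;;
    esac
}

# Stand-alone use: ./check_match.sh connlimit [LIB_DIR] [KMOD_DIR]
# Defaults are the locations the reply names for RHEL 5/CentOS 5.
if [ -n "${1:-}" ]; then
    has_match_support "$1" \
        "${2:-/lib/iptables}" \
        "${3:-/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter}"
fi
```

On the poster's CentOS 5 box this prints "userspace-only" for connlimit; after installing a kernel that ships the module (option 1 in the reply) it prints "ok".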